macOS Malware Mix & Match: North Korean APTs Stir Up Fresh Attacks

North Korean advanced persistent threat (APT) groups are mixing and matching components of two recently unleashed types of Mac-targeted malware to evade detection and fly under the radar as they continue their efforts to conduct operations at the behest of the Kim Jong Un regime.

Lazarus and one of its spinoffs, BlueNoroff, recently debuted KandyKorn and RustBucket, respectively, two kinds of malware representing the North Korean threat groups' forays into targeting macOS machines. The malware is being used to attack cryptocurrency exchanges and other financial institutions to raise money for Kim's government.

Now the groups are taking further evasive steps by mixing loaders and other components of those malwares in various attacks aimed at throwing security researchers and victims off their trail, researchers from SentinelOne revealed in a blog post published Nov. 28.

As is typical with North Korean APTs — which recently demonstrated an organization and alignment of resources and tactics to achieve common goals — the details of the new activity are a dizzying mix of stagers, loaders, and payloads, some of which appear to be a part of entirely new campaigns.  

Once the researchers peeled back the curtains, however, they discovered that the ultimate payloads being used are ones recently uncovered — sometimes in new variant form. It's merely the attack setups and related components that vary, revealing more about how the threat operations aim to confuse both organizations under attack and those tracking the groups, they said.

"Our analysis corroborates findings from other researchers that North Korean-linked threat actors' tendency to reuse shared infrastructure affords us the opportunity to widen our understanding of their activity and discover fresh indicators of compromise," SentinelOne threat researcher Phil Stokes wrote in the post.

Malware Melee: APTs Mix It Up

Last month, threat researchers uncovered two new types of malware being used by North Korean APTs to target macOS in the groups' typical endeavors to steal crypto and other funds to bankroll Kim's regime.

The KandyKorn remote access Trojan (RAT), revealed in a report by Elastic Security Labs, was the more sophisticated of the two, with a full-featured set of capabilities to detect, access, and steal any data from the victim's computer, including cryptocurrency services and applications.

RustBucket, meanwhile, used a rudimentary reverse shell called "ObjCShellz" to compromise new targets and was characterized as "dumbed down" but effective by Jamf Threat Labs. It also used a second-stage payload dubbed "SwiftLoader," which functioned externally as a PDF Viewer for a lure document sent to targets.

The latest campaigns featuring those malwares show a mix-and-match approach to the previous attack flow, SentinelOne discovered.

In one RustBucket attack that appeared at first "to be an entirely different campaign," attackers used a first stage AppleScript applet and a Swift-based application bundle called "Internal PDF Viewer.app," which used specially crafted PDFs to unlock code for downloading a Rust-based payload, according to the SentinelOne blog post. This deviated from the original attack flow being used to deploy the malware in previous campaigns.

Loader Pivots Between Types of Malware

SentinelOne also has observed various RustBucket variants as well as new variations of its Swift-based stager, collectively dubbed SwiftLoader. While some of these continued to be distributed with the name “InternalPDF Viewer," as in previous campaigns, the researchers also spotted a variant called "SecurePDF Viewer."

"This application was signed and notarized by Apple (since revoked) by a developer with the name 'BBQ BAZAAR PRIVATE LIMITED (7L2UQTVP6F),'" Stokes wrote. The variant requires at least macOS 12.6 (Monterey) and is capable of running on both Intel and Apple silicon devices.

Meanwhile, what Jamf researchers identified as ObjCShellz in the previous RustBucket campaigns is now what SentinelOne researchers think is "a later stage of the SwiftLoader SecurePDF Viewer.app," which North Korean attackers now may be using to deploy KandyKorn.

SentinelOne also identified other versions of SwiftLoader in the wild, including one distributed in a lure called "Crypto-assets and their risks for financial stability[.]app[.]zip," which has "some interesting overlaps" with the KandyKorn operation.

"This application is also signed and notarized by Apple (since revoked) by a developer with the name 'Northwest Tech-Con Systems Ltd (2C4CB2P247),'" Stokes wrote. The bundle identifier is com.EdoneViewer and the app’s main executable is EdoneViewer, a hardcoded URL that, once decoded, reaches out to a domain to drop a hidden executable, he added.

That domain, on-global.xyz, is similar to tp.globa.xyz, a URL that the KandyKorn Python script reached out for to grab next-stage malware in its previous campaigns. This domain as also was used by SugarLoader, a component used in previous KandyKorn campaigns for initial access to targeted systems, the researchers observed.

SentinelOne included a comprehensive list of indicators of compromise (IoCs) for the various types of malware and components observed in attacks by North Korean APTs to help potential victims identify if they've been compromised.